📄 netfilter log format.htm
<TD bgColor=#e2e2e2><TT>DF</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#e2e2e2><TT>MF</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#e2e2e2><TT>FRAG=179</TT></TD>
<TD><TT> </TT></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=2 cellPadding=0 border=0>
<TBODY>
<TR>
<TD bgColor=#e2e2e2><TT>OPT
(072728CBA404DFCBA40253CBA4032ECBA403A2CBA4033ECBA40<BR>2C1180746EA18074C52892734A200)</TT></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=2 cellPadding=0 border=0>
<TBODY>
<TR>
<TD bgColor=#e2e2e2><TT>PROTO=TCP</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#ffffe0><TT>SPT=4515</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#ffffe0><TT>DPT=111</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#ffffe0><TT>SEQ=1168094040</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#ffffe0><TT>ACK=0</TT></TD>
<TD><TT> </TT></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=2 cellPadding=0 border=0>
<TBODY>
<TR>
<TD bgColor=#ffffe0><TT>WINDOW=32120</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#ffffe0><TT>RES=0x03</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#ffffe0><TT>URG</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#ffffe0><TT>ACK</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#ffffe0><TT>PSH</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#ffffe0><TT>RST</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#ffffe0><TT>SYN</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#ffffe0><TT>FIN</TT></TD>
<TD><TT> </TT></TD>
<TD bgColor=#ffffe0><TT>URGP=0</TT></TD>
<TD><TT> </TT></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=2 cellPadding=0 border=0>
<TBODY>
<TR>
<TD bgColor=#ffffe0><TT>OPT
(020405B40402080A05E3F3C40000000001030300)</TT></TD></TR></TBODY></TABLE>
<P>The items are explained in sequence: </P></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=2 width=640 border=1>
<TBODY>
<TR>
<TD vAlign=top><TT>Apr 16 00:30:45 <BR>megahard kernel: </TT></TD>
<TD vAlign=top>syslog prefix. It is not present if you read log
messages from the console. </TD></TR>
<TR>
<TD vAlign=top>
<TABLE cellSpacing=0 cellPadding=0 border=0>
<TBODY>
<TR>
<TD bgColor=#d0d0ff><TT>NF: D(I,Priv)
</TT></TD></TR></TBODY></TABLE></TD>
<TD vAlign=top bgColor=#d0d0ff>Enabled with:<TT><B> --log-prefix
<EM>'prefix'</EM></B></TT><BR>An arbitrary, user-defined log
prefix. <B>Including the spaces.</B><BR>A trailing space is
necessary to keep the prefix separate from the next token; this is
a bug in netfilter. </TD></TR>
<TR bgColor=#e0ffe0>
<TD vAlign=top><TT>IN=eth1</TT></TD>
<TD>Interface the packet was received from. Empty value for
locally generated packets.</TD></TR>
<TR bgColor=#e0ffe0>
<TD vAlign=top><TT>OUT=</TT></TD>
<TD>Interface the packet was sent to. Empty value for locally
received packets.</TD></TR>
<TR bgColor=#c0ffff>
<TD
vAlign=top><TT>MAC=<BR>00:80:8c:1e:12:60:<BR>00:10:76:00:2f:c2:<BR>08:00</TT></TD>
<TD vAlign=top>Destination MAC=00:80:8c:1e:12:60,<BR>Source
MAC=00:10:76:00:2f:c2,<BR>Type=08:00 (the Ethernet frame carried an
IPv4 datagram) </TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>SRC=211.251.142.65</TT></TD>
<TD>Source IP address</TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>DST=203.164.4.223</TT></TD>
<TD>Destination IP address</TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>LEN=60</TT></TD>
<TD>Total length of IP packet in bytes</TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>TOS=0x00</TT></TD>
<TD>Type Of Service, "Type" field.<BR>Increasingly being replaced
by <B>DS</B> and <B>ECN</B>. Refer to the <A
href="http://logi.cc/linux/netfilter-log-format.php3#IPheader">IP header</A>
info below. </TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>PREC=0x00</TT></TD>
<TD>Type Of Service, "Precedence" field.<BR>Increasingly being
replaced by <B>DS</B> and <B>ECN</B>. Refer to the <A
href="http://logi.cc/linux/netfilter-log-format.php3#IPheader">IP header</A>
info below. </TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>TTL=44</TT></TD>
<TD>Remaining Time To Live: 44 hops.</TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>ID=31526</TT></TD>
<TD>Unique ID for this IP datagram, shared by all fragments if
fragmented.</TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>CE</TT></TD>
<TD>Presumably the "ECN CE" flag (Congestion Experienced).<BR>This
seems to be wrong because according to RFC2481, the CE bit is
located in the TOS field. Refer to the <A
href="http://logi.cc/linux/netfilter-log-format.php3#IPheader">IP header</A>
info below. </TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>DF</TT></TD>
<TD>"Don't Fragment" flag.</TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>MF</TT></TD>
<TD>"More Fragments following" flag.</TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>FRAG=179</TT></TD>
<TD>Fragment offset in units of 8 bytes. In this case the byte
offset of the data carried in this packet is 179*8=1432 bytes. </TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>OPT (0727..A200)</TT></TD>
<TD>Enabled with:<TT><B> --log-ip-options</B></TT><BR>IP options.
This variable-length field is rarely used. Certain IP options,
e.g. source routing, are often disallowed by network administrators. Even
harmless options like "Record Route" may only be allowed if the
transport protocol is ICMP, or not at all. </TD></TR>
<TR bgColor=#e2e2e2>
<TD vAlign=top><TT>PROTO=TCP</TT></TD>
<TD>Protocol name or number. Netfilter uses names for TCP, UDP,
ICMP, AH and ESP. Other protocols are identified by number. A list
is in your <I>/etc/protocols</I>. A complete list is in the
file <A
href="http://www.isi.edu/in-notes/iana/assignments/protocol-numbers"><B><I>protocol-numbers</I></B></A>
</TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>SPT=4515</TT></TD>
<TD>Source port (TCP and UDP). A list of port numbers is in
your <I>/etc/services</I>. A complete list is in the file <A
href="http://www.isi.edu/in-notes/iana/assignments/port-numbers"><B><I>port-numbers</I></B></A>
</TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>DPT=111</TT></TD>
<TD>Destination port (TCP and UDP). See SPT above. </TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>SEQ=1168094040</TT></TD>
<TD>Enabled with:<TT><B> --log-tcp-sequence</B></TT><BR>Receive
Sequence number. By cleverly choosing this number, a cryptographic
"cookie" can be implemented while still satisfying TCP protocol
requirements. These "<A
href="http://cr.yp.to/syncookies.html">SYN-cookies</A>" defeat
some types of SYN-flooding DoS attacks and should be enabled on
all systems running public TCP servers.<BR><TT>echo 1 >
/proc/sys/net/ipv4/tcp_syncookies</TT> </TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>ACK=0</TT></TD>
<TD>Same as the Receive Sequence number, but for the other end of
the TCP connection. </TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>WINDOW=32120</TT></TD>
<TD>The TCP Receive Window size. This may be scaled by
bit-shifting left by a number of bits specified in the "Window
Scale" TCP option. If the host supports ECN, then the TCP Receive
Window size will also be controlled by that. </TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>RES=0x03</TT></TD>
<TD>Reserved bits. The ECN flags "<B>CWR</B>" and "<B>ECNE</B>"
will show up in the two least significant bits of this field.
Refer to the <A
href="http://logi.cc/linux/netfilter-log-format.php3#TCPheader">TCP
header</A> info below. </TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>URG</TT></TD>
<TD>Urgent flag. See URGP below. </TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>ACK</TT></TD>
<TD>Acknowledgement flag. </TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>PSH</TT></TD>
<TD>Push flag. </TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>RST</TT></TD>
<TD>RST (Reset) flag. </TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>SYN</TT></TD>
<TD>SYN flag, only exchanged at TCP connection establishment.
</TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>FIN</TT></TD>
<TD>FIN flag, only exchanged at TCP disconnection. </TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>URGP=0</TT></TD>
<TD>The Urgent Pointer allows for urgent, "out of band" data
transfer. Unfortunately not all protocol implementations agree, so
this facility is hardly ever used. </TD></TR>
<TR bgColor=#ffffe0>
<TD vAlign=top><TT>OPT (020405...300)</TT></TD>
<TD>Enabled with:<TT><B> --log-tcp-options</B></TT><BR>TCP
options. This variable-length field gets a lot of use. Important
options include: Window Scaling, Selective Acknowledgement and
Explicit Congestion Notification. Refer to the <A
href="http://logi.cc/linux/netfilter-log-format.php3#TCPheader">TCP
header</A> info below. </TD></TR>
<TR bgColor=#e0ffe0>
<TD vAlign=top><TT> </TT></TD>
<TD>Unfortunately the rule number in the chain which matched the
packet is for architectural reasons not available in netfilter
logs. You will have to "cook your own" by using the user-prefix
feature. </TD></TR></TBODY></TABLE>
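<P>The token layout explained in the table above is regular enough to parse mechanically. The parser below is an added example, not code from the page or from netfilter itself; it assumes the classic <TT>KEY=VALUE</TT> / bare-flag layout shown above, and the sample line is constructed from the page's own field values (the hypothetical <TT>parse_nf_log</TT> name is mine). It keeps the user prefix with its trailing space, splits <TT>MAC=</TT> into destination, source and Ethertype, converts <TT>FRAG</TT> to a byte offset, and files an <TT>OPT</TT> blob as IP or TCP options depending on whether it appears before or after <TT>PROTO=</TT>.</P>

```python
IP_FLAGS = {"CE", "DF", "MF"}
TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}
HEX_FIELDS = {"TOS", "PREC", "RES"}
INT_FIELDS = {"LEN", "TTL", "ID", "FRAG", "SPT", "DPT", "SEQ", "ACK",
              "WINDOW", "URGP"}

# Constructed sample line; the field values are the ones the page walks through.
SAMPLE = ("Apr 16 00:30:45 megahard kernel: NF: D(I,Priv) IN=eth1 OUT= "
          "MAC=00:80:8c:1e:12:60:00:10:76:00:2f:c2:08:00 "
          "SRC=211.251.142.65 DST=203.164.4.223 LEN=60 TOS=0x00 PREC=0x00 "
          "TTL=44 ID=31526 DF PROTO=TCP SPT=4515 DPT=111 SEQ=1168094040 "
          "ACK=0 WINDOW=32120 RES=0x03 SYN URGP=0 "
          "OPT (020405B40402080A05E3F3C40000000001030300)")

def parse_nf_log(line):
    """Parse one netfilter LOG line into a dict: bare tokens go to
    'ip_flags'/'tcp_flags', an OPT blob before PROTO= is 'ip_options' and
    after it 'tcp_options', MAC= is split into dst, src and ethertype."""
    body = line.partition("kernel: ")[2] or line   # console lines lack syslog
    cut = body.index("IN=")        # ValueError if this is not a LOG line
    # Everything before IN= is the user --log-prefix, trailing space included.
    rec = {"prefix": body[:cut], "ip_flags": set(), "tcp_flags": set()}
    tokens, seen_proto, i = body[cut:].split(), False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "OPT":                      # "OPT (hex)" spans two tokens
            i += 1
            blob = tokens[i].strip("()") if i < len(tokens) else ""
            rec["tcp_options" if seen_proto else "ip_options"] = blob
        elif "=" in tok:                      # KEY=VALUE; value may be empty
            key, _, val = tok.partition("=")
            seen_proto = seen_proto or key == "PROTO"
            if key in HEX_FIELDS:
                val = int(val, 16)
            elif key in INT_FIELDS and val:
                val = int(val)
            rec[key] = val
        elif tok in IP_FLAGS:
            rec["ip_flags"].add(tok)
        elif tok in TCP_FLAGS:
            rec["tcp_flags"].add(tok)
        i += 1
    if rec.get("MAC"):                        # 6 dst, 6 src, 2 ethertype octets
        o = rec["MAC"].split(":")
        rec["dst_mac"], rec["src_mac"] = ":".join(o[:6]), ":".join(o[6:12])
        rec["ethertype"] = "".join(o[12:14])
    if "FRAG" in rec:                         # offset is logged in 8-byte units
        rec["frag_offset_bytes"] = rec["FRAG"] * 8
    return rec
```

<P>Because the bare <TT>ACK</TT> flag and the <TT>ACK=</TT> number are told apart by the presence of <TT>=</TT>, both survive in the result, and a non-first fragment (which carries no port fields) still yields its byte offset.</P>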
<P>
<TABLE cellSpacing=0 cellPadding=0 width=640 border=0>
<TBODY>
<TR>
<TD>More interesting files, such as
<B><EM>multicast-addresses</EM></B>, can be found in <A
href="http://www.isi.edu/in-notes/iana/assignments/">http://www.isi.edu/in-notes/iana/assignments/</A>.
<P>
<BLOCKQUOTE></BLOCKQUOTE></TD></TR></TBODY></TABLE> <BR><A
href="http://logi.cc/linux/NF-log-issues.php3">
<H3>Issues with netfilter log format</H3></A>Also suggests an
alternative log format.
<P>The ULOG module looks like a suitable future remedy. <BR> <BR>
<H2>Protocol Header Information </H2><A name=IPheader></A>
<H4>IP Header Format as defined in <A
href="http://www.faqs.org/rfcs/rfc791.html">RFC-791</A>:</H4>
<BLOCKQUOTE>
<TABLE cellSpacing=0 cellPadding=0 width=640 border=1>
<TBODY>
<TR>
<TD align=middle width=20>0</TD>
<TD align=middle width=20>1</TD>
<TD align=middle width=20>2</TD>
<TD align=middle width=20>3</TD>
<TD align=middle width=20>4</TD>
<TD align=middle width=20>5</TD>
<TD align=middle width=20>6</TD>
<TD align=middle width=20>7</TD>
<TD align=middle width=20>8</TD>
<TD align=middle width=20>9</TD>
<TD align=middle width=20>10</TD>
<TD align=middle width=20>11</TD>
<TD align=middle width=20>12</TD>
<TD align=middle width=20>13</TD>
<TD align=middle width=20>14</TD>
<TD align=middle width=20>15</TD>
<TD align=middle width=20>16</TD>
<TD align=middle width=20>17</TD>
<TD align=middle width=20>18</TD>
<TD align=middle width=20>19</TD>
<TD align=middle width=20>20</TD>
<TD align=middle width=20>21</TD>
<TD align=middle width=20>22</TD>
<TD align=middle width=20>23</TD>
<TD align=middle width=20>24</TD>
<TD align=middle width=20>25</TD>
<TD align=middle width=20>26</TD>
<TD align=middle width=20>27</TD>
<TD align=middle width=20>28</TD>
<TD align=middle width=20>29</TD>
<TD align=middle width=20>30</TD>
<TD align=middle width=20>31</TD></TR>
<TR bgColor=#e2e2e2>
<TD align=middle colSpan=4 height=30>IP Version</TD>
<TD align=middle colSpan=4>Hdr.Length</TD>
<TD align=middle bgColor=#c8c8c8 colSpan=8><B>TOS /
DS,ECN</B></TD>
<TD align=middle colSpan=16>Total Length</TD></TR>
<TR bgColor=#e2e2e2>
<TD align=middle colSpan=16 height=30>Identification</TD>
<TD align=middle>-</TD>
<TD align=middle>DF</TD>
<TD align=middle>MF</TD>
<TD align=middle colSpan=13>Fragment Offset</TD></TR>
<TR bgColor=#e2e2e2>